agenttesla | 43b957e57a959571b4ee4dedf823b4122dd2774b1290daa5848a4ea830673124

General

Target

DHL_AWB_NO_#907853880911_pdf .exe
Size

18KB
MD5

16b03e4e5bc0ff1dbef3918cfad2b735
SHA1

fcba7690aa8b5fd59530018117c9a23d1d9479d8
SHA256

43b957e57a959571b4ee4dedf823b4122dd2774b1290daa5848a4ea830673124
SHA512

99e5980733a2c1416e0cd5d498549ef6dbc1b52ecbb7c9fdcd828dc1f3c14e3f9fd80bece1e393ae1b87a8084936c2356e213cb0771d25fd3c68eabf13de0c79
SSDEEP

192:HaTdQS53M58auD28GSALhtGfygJrBhIf3jdZ:6TuS53uuDV2LhtGfygJ8fTd

Score

10^/10

agenttesla purecrypter collection downloader keylogger loader spyware stealer trojan

Malware Config

Extracted

Family

purecrypter

C2

http://45.84.1.117/3478/Uwdznaoe.png

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5846767138:AAHbrIUF1epdWlFQ2_64LCd8vdF121y1XGE/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	DHL_AWB_NO_#907853880911_pdf .exe
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2652	2172	DHL_AWB_NO_#907853880911_pdf .exe	66
PID 2172 wrote to memory of 2652	2172	DHL_AWB_NO_#907853880911_pdf .exe	66
PID 2172 wrote to memory of 2652	2172	DHL_AWB_NO_#907853880911_pdf .exe	66

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO_#907853880911_pdf .exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO_#907853880911_pdf .exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zodubwav.j03.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2172-121-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2172-123-0x0000000005540000-0x00000000055F4000-memory.dmp

Filesize
720KB

Download
memory/2172-124-0x00000000056F0000-0x000000000570A000-memory.dmp

Filesize
104KB

Download
memory/2172-125-0x00000000057E0000-0x0000000005802000-memory.dmp

Filesize
136KB

Download
memory/2172-126-0x0000000005810000-0x0000000005B60000-memory.dmp

Filesize
3.3MB

Download
memory/2172-122-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/2172-166-0x0000000006E20000-0x0000000006FE2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-165-0x0000000006B30000-0x0000000006B80000-memory.dmp

Filesize
320KB

Download
memory/2172-164-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/2172-163-0x0000000006520000-0x00000000065B2000-memory.dmp

Filesize
584KB

Download
memory/2172-162-0x00000000065E0000-0x0000000006ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2172-161-0x0000000005400000-0x0000000005430000-memory.dmp

Filesize
192KB

Download
memory/2172-154-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/2652-129-0x0000000004880000-0x00000000048B6000-memory.dmp

Filesize
216KB

Download
memory/2652-137-0x0000000008090000-0x0000000008106000-memory.dmp

Filesize
472KB

Download
memory/2652-152-0x00000000096B0000-0x0000000009D28000-memory.dmp

Filesize
6.5MB

Download
memory/2652-153-0x00000000082E0000-0x00000000082FA000-memory.dmp

Filesize
104KB

Download
memory/2652-136-0x0000000008160000-0x00000000081AB000-memory.dmp

Filesize
300KB

Download
memory/2652-155-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/2652-156-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/2652-135-0x00000000077B0000-0x00000000077CC000-memory.dmp

Filesize
112KB

Download
memory/2652-134-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/2652-133-0x0000000007020000-0x0000000007086000-memory.dmp

Filesize
408KB

Download
memory/2652-132-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/2652-131-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/2652-130-0x00000000070F0000-0x0000000007718000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads